Asklemmy

43393 readers

1461 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
[email protected]: a community for finding communities

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago

MODERATORS

[email protected]

198

Can I refuse MS Authenticator? (lemmy.ml)

submitted 3 months ago by [email protected] to c/[email protected]

247 comments fedilink hide all child comments

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

you are viewing a single comment's thread
view the rest of the comments

[–] sylver_dragon 1 points 3 months ago

You work in cybersecurity, yet you have company-controlled assets on your personal phone?
X DOUBT
Either you don’t give a single sh*t about your personal privacy, or…

Here's the rub, I've been through enough of this to take a realistic, risk based approach to security. Knee-jerk reactions like the one you are giving are not really useful. Step back for a moment and think about what's going on here. First and foremost, this isn't MDM on a device, that's entirely different from installing the MS Authenticator app from the public Google Play store and adding a work account to it. So no, the company is not able to go rooting around in the user's device willy-nilly. Second, even with MDM, IT control of the user's device isn't what it used to be. Google implemented containerization of work profiles some time back. Without Work Profiles and containerization, I would agree that enrolling my personal device in MDM carries too much risk to my privacy and also having my device remote wiped. But, the advance of technology has altered that calculus. While there are still risks to consider with having a work profile on my device, it's also not as worrisome as it used to be.

Security isn't some binary thing. There is no hard and fast set of rules, given from some entity on high. It's a game of deciding what risks are acceptable and what risks need to be mitigated and how. If you work for a company which you believe is trying to use MDM to go rooting around in your personal device, I'd suggest finding an new job. This isn't to say you should trust the company 100%; but, you need to take a realistic look at what the ask is, what risks it carries and if the trade-off in convenience is worth it. The risks inherent in the MS Authenticator app are basically nil. At least on Android, you can audit it's permissions and disable the ones you don't want it to have. The app provides zero control over the device to the company. Really, there's just nothing there to get your panties in a bunch about.

But hey, if knee-jerk reactions are your thing, then you do you. This whole tempest in a teapot still amounts to "Microsoft bad".